OpenNMS Bug Steals Data, Triggers Denial of Service

Maintainers of OpenNMS have patched a high-severity vulnerability in both the community-supported and subscription-based versions of the widely used open source network monitoring software.

The XML external entity (XXE) injection vulnerability gives attackers a way to exfiltrate data from the file system of the OpenNMS server, send arbitrary HTTP requests to internal and external services, and trigger denial-of-service conditions on affected systems.

Platform Trusted by Cisco, GigaComm, Others

Researchers from Synopsys discovered the vulnerability in June and reported it to the maintainers of OpenNMS, who released a patch last week.

“CVE-2023-0871 affects both Meridian and Horizon, the subscription-based and community-supported versions, respectively, of the OpenNMS network monitoring platform,” says Ben Ronallo, vulnerability management engineer for Synopsys. “This platform is trusted by companies like Cisco, GigaComm, Savannah River Nuclear Solutions (SRNS), as well as others in CISA’s Critical Infrastructure Sectors,” he adds.

Organizations use OpenNMS to monitor their local and distributed networks for a variety of uses, including performance management, traffic monitoring, fault detection, and alarm generation. The Java-based platform supports the monitoring of both physical and virtual networks, applications, servers, business performance indicators, and custom metrics.

The free version of OpenNMS Horizon is a community-driven project that includes many of the same features as the subscription-based OpenNMS Meridian version. However, it lacks the support and the easier release and update cycles available with the subscription version.

Permissive XML Parser

According to Synopsys, CVE-2023-0871 stems from a permissive XML parser configuration that makes the parser susceptible to XML external entity attacks. An XML parser configuration is permissive if, for example, it allows external files and URLs to be referenced within XML. XXE vulnerabilities, like those discovered by Synopsys, allow an attacker to essentially interfere with an application’s processing of XML data.

“CVE-2023-0871 is an XXE injection attack, which leverages the default credentials for the Realtime Console (RTC) REST API,” Ronallo says. “This attack modifies trusted XML data by anticipating how the data is processed.” This enables an attacker to potentially compromise other physical and/or virtual systems, view data on the system running the vulnerable app, or make HTTP requests to other systems via Server-Side Request Forgery (SSRF), he notes.
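To make the "permissive XML parser configuration" concrete, here is an added Java (JAXP) comparison of a default DocumentBuilderFactory against one hardened along the lines of the OWASP XXE prevention guidance. This is example code written for this article, not OpenNMS code and not Synopsys' proof of concept; the class name, the sample document and the placeholder file URI are all constructed for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.IOException;
import java.io.StringReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeParserConfig {

    // Constructed sample input: a DOCTYPE that declares an external entity.
    // A permissive parser tries to resolve the SYSTEM identifier (a real path
    // would land the file's content in the attribute; a URL would cause an
    // outbound request, i.e. SSRF); a hardened parser rejects the DOCTYPE.
    // The URI is a deliberate placeholder, not a real file.
    static final String SAMPLE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE node [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\"> ]>\n"
        + "<node label=\"&ext;\"/>";

    /** Permissive configuration: JAXP defaults resolve external entities and load DTDs. */
    static DocumentBuilder permissiveBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder();
    }

    /** Hardened configuration: no DOCTYPE, no external entities, no external DTDs, no XInclude. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting the DOCTYPE outright blocks XXE, SSRF via entities and
        // entity-expansion DoS in one step; the remaining flags are defence in depth.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the sample with the given builder and reports what happened. */
    static String tryParse(String name, DocumentBuilder b) {
        try {
            Document d = b.parse(new InputSource(new StringReader(SAMPLE)));
            String label = d.getDocumentElement().getAttribute("label");
            return name + ": parsed, label=\"" + label + "\"";
        } catch (SAXException e) {
            // The hardened builder ends up here: "DOCTYPE is disallowed ..."
            return name + ": rejected (" + e.getMessage() + ")";
        } catch (IOException e) {
            // The permissive builder ends up here for the placeholder path:
            // it actually attempted to open the file and failed.
            return name + ": tried to resolve the entity and failed (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(tryParse("permissive", permissiveBuilder()));
        System.out.println(tryParse("hardened", hardenedBuilder()));
    }
}
```

The distinguishing signal is not the parse result but which branch each builder takes: the permissive one resolves the external reference before the application ever sees the document, which is exactly the behaviour an XXE or SSRF payload depends on, while the hardened one fails closed on the DOCTYPE. Any Java service that accepts XML from an authenticated-but-untrusted client, such as a REST API protected only by default credentials, should use the second configuration.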

The OpenNMS project described the vulnerability as affecting OpenNMS Horizon 31.0.8 and versions prior to 32.0.2 on multiple platforms. The maintainers of the project urged organizations using affected versions of the software to update to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38, or Horizon 32.0.2 or newer. The alert reminded organizations not to make OpenNMS directly accessible over the Internet and to ensure that it is installed and used only within an organization’s internal network.

“Assuming users of the platform adhere to OpenNMS’ recommendation to only install within private networks, the risk of this attack succeeding is reduced to malicious insiders,” Ronallo says. This could include a compromised user or a disgruntled employee. “However, if successfully exploited, this vulnerability could lead to system compromise.”

CVE-2023-0871 is one of several vulnerabilities that researchers have uncovered in OpenNMS so far this year. Among the more serious of them are CVE-2023-0870, a cross-site request forgery issue with a CVSS score of 8.1 that is present in multiple versions of OpenNMS Horizon and Meridian, and CVE-2023-0846, an unauthenticated cross-site scripting vulnerability in both OpenNMS versions.
